IT Security budgets remain intact

The 17th Infosecurity Europe, which spanned three days in late April, witnessed a revolution taking place in the security space, with most CSOs and CISOs reporting that their IT security budgets, even in the cash-strapped public sector, remaining relatively intact. The show had an increase in attendance with 12,959 visitors attending the show compared to 10,482 in 2011. This underlines the importance that information security has to all sectors of the economy.

But against the backdrop of cybercrime reportedly costing the world an amazing $380 billion a year, says Neelie Kroes, the European Commission vice-president, this is still not enough to protect IT users and citizens.

In her keynote speech at the event, Kroes said that since everyone uses computers, cyberattacks can affect everyone, meaning that cybersecurity is no longer the domain of national security authorities and needs a comprehensive solution that involves governments, businesses and individuals.

To assist in this regard, she explained that the European Commission will present a plan - a European strategy for Internet security - in the third quarter of this year.

The plan will be is based around five key areas. Firstly, there is a need to build a network to respond to cyberthreats and share that information - EU member countries will be asked to guarantee their minimum capabilities to respond adequately to threats, as well as sharing critical information in a secure and confidential manner.

Secondly, says Kroes, there needs to be a governance structure with member countries being required to establish competent authorities to centralise information and create regional forums to support collaboration with the private sector.

Kroes added that the third aim of the strategy plan will be to improve security at every point in the supply chain. The fourth aim will centre on the creation of vibrant IT security market. The fifth prong of the EC’s strategy, she explained, is that Internet security is not a Europe-only problem, but an international one, meaning that everyone must be involved in the creation of a more secure Internet.

Despite the underlying theme this year being about the increasing trend towards BYOD (bring-your-own-device) into the workplace, Simon Wise, deputy head of the Ministry of Defence’s global operations security centre, effectively vetoed the idea far as Government agencies in the security sector.

At the MoD, he said in an Infosecurity Europe round table session: “We have a bring you own policy and it’s simple: Don’t!”

The key risk with BYOD, he told delegates, is the fact that unauthorised devices pose a serious threat to the rest of the network – which in the MoD’s case involves around 750,000 IP-enabled devices.

Wise revealed that the MoD deals with 200 different firm’s IT systems, of which it has 20 main suppliers. As a result, he says, its suppliers need to be more honest about their position in the market, rather than claiming they have a `magic box’ solution to cybersecurity requirements.

Wise’s caution is backed up by the results of joint survey between PricewaterhouseCoopers and the organisers of Infosecurity Europe, which found that one in seven large organisations has been hacked in the last year – and with 20 per cent of organisations spending less than just one per cent of their IT budget on information security.

Researchers found that as a result, the number of large organisations being hacked into is at a record high, with the overall cost of security breaches to UK PLC measured well into the billions of pounds mark a year.

The survey – which took in responses from a total of 447 UK organisations – found that 70 per cent of large organisations have detected significant attempts to break into their networks over the last year – a record high.

On average, each large organisation suffered 54 significant attacks by an unauthorised outsider during 2011 - twice the level in 2010 - whilst 15 per cent of large organisations had their networks successfully penetrated by hackers.

Risk of being hacked
According to Chris Potter, a PwC information security partner, the UK is under relentless cyber attack and hacking is a rising risk to businesses.
“The number of security breaches large organisations are experiencing has rocketed and as a result, the cost to UK plc of security breaches is running into billions every year. Since most businesses now share data with their business partners across the supply chain, these numbers are startling and make uncomfortable reading for business leaders,” he said.

“Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems. They also have more staff and more staff-related breaches which may explain why small businesses report fewer breaches than larger ones,” he added.

Potter went on to say that it is also true that small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks.

A major set of FOI (Freedom of Information) requests made to the ICO (Information Commissioner’s Office) has revealed that 35 per cent ICO complaints now centre on personal data disclosure.

From an FOI request, IT security specialist Axway found that during the first three months of 2012, the ICO had received 1,002 complaints. This, the data security specialist says, has raised concerns over the disclosure of personal data or breaches of the DPA: an average of eight breaches per day.

Axway also discovered that, since being formed in 1984 as the Data Protection Registrar, the Government’s data security regulator has received a total of 26,227 data protection complaints, which resulted in the regulator serving just 14 monetary penalties totalling £1.17 million in fines.

The monetary penalties imposed by the ICO, however, pale in significance when the indirect costs are considered - especially as the cost of data breaches have risen 70 per cent over the last five years, the firm claims.

As a result of its research, Axway is calling for a major rethink on how data is protected when it comes to Data Protection Act penalties and ICO intervention. Axway claims that, with Big Data management continuing to keep many CIOs and CISOs awake at night, data security will be of paramount concern in the future - regardless of current ICO enforceable legislation. In view of this, the firm adds that it is key for organisations to ensure their data is as secure as possible.

John Thielens, Axway’s chief security officer, said that information needs to be securely managed to prevent the data breaches that continue to be headline news around the world.

“The threat of ICO intervention should not be the business driver. It’s not surprising that the public is alarmed. Restoring public confidence with absolute visibility and concentrating on protecting their data, no matter where it lives, is paramount in today’s world,” he explained.

Tablet Developments
Over at Cryptzone, the data security firm says that the increasing use of tablet computers by members of staff has been behind the vendor’s development of the latest version of its NETconsent Compliance Suite, which supports a wide range of portable devices, including tablet computers.

The software is billed as ensuring that employees are aware of policies, are educated on the reasons why they are important and tested to see if they understand their responsibilities.

Dominic Saunders, Cryptzone’s vice president for the NETconsent Business Unit, said that, although many organisations have persisted in their refusal to allow employees to use some mobile devices for work, they are set to become commonplace in the business environment, just as with previous innovations.

Security policies and systems, he explained, need to catch up fast as a new generation of workers demand the ability to take advantage of the personal and business value such devices offer.

Rob Rachwald, security director with fellow data security specialist Imperva, meanwhile, said that organisations need to understand that the threats landscape has significantly changed over the last few years, as witnessed by the rise in political hacktivism.

Hack of the decade
This, he says, is what makes the Sony data security hack of spring 2011 so significant – arguably the most significant in the last ten years – meaning that that it will go down in the IT history books as being the most significant external hack of the last decade.

The reason, he says, is that the Sony breach marked one of the first times that a major company was seriously compromised by a group of external hackers. The Sony saga, he claims, showed hackers that they could seriously hurt a company on several levels if they put their mind to it.
ISACA, the not-for-profit IT security association which now has more than 95,000 members around the world, officially launched vesion 5 of its COBIT governance and management framework.

The COBIT 5 framework – which is available from the Association as a free download at www.isaca.org/cobit - provides globally accepted principles, practices, analytical tools and models designed to help business and IT leaders maximise trust in, and value from, their enterprise’s information and technology assets.

This update is the result of a four-year initiative led by a global task force and has been reviewed by more than 95 experts worldwide. To date, more than 16,000 professionals have pre-registered to receive a copy.

“The advance interest in COBIT 5 has been overwhelming. It is clear that enterprises everywhere are aggressively seeking guidance on how to manage and ensure value from the growing mountain of information and increasingly complex technologies they are grappling with,” said Derek Oliver, Ph.D., CISA, CISM, CRISC, CITP, FBCS, FISM, MInstISP, and co-chair of the COBIT 5 Task Force.

“Information is the currency of the 21st century, and COBIT helps enterprises effectively govern and manage this critical asset,” he added.

Further information
Infosecurity Europe 2013 takes place at Earls Court, London from 23-25th April. Visit www.infosec.co.uk for further information.

Please register to comment on this article